That’s right, policies, not technology, hinder faster adoption of key security protections. Not all is lost, though, as
some signs point to potential breakthroughs.

Advances are already being made as many medical device manufacturers are embedding strong security into the devices they have in development. In the years ahead, when these new products go to market, they will be better equipped to deal with the security threat landscape than devices in use today. These new devices will be capable of preventing unauthorized access, encrypting data transmitting to or from devices, stopping malware, and ensuring the integrity of patient care. Many medical device manufacturers are implementing other sorely-needed security practices such as secure design, coding and testing. Many are also performing risk assessments on their devices to understand and rank the potential vulnerabilities. Others, like Philips and Johnson & Johnson, have adopted reporting processes that healthcare providers can use to report device vulnerabilities they discover. Recently, “white hat” researchers have begun collaborating with both healthcare providers and medical device manufacturers to improve security for providers and patients. All of this activity is positive and is moving the industry in the right direction.

As encouraging as this progress is, large challenges remain as the industry awaits the arrival of more secure devices that will arrive in the next few years. For example, who believes the security approaches being integrated now will still be sufficient in the next two to five years? Given how quickly technology is evolving, the current medical device product lifecycle is too long to keep up with bad actors discovering new and more sophisticated approaches for hacking connected devices. Device manufacturers need to be able to continually update security on devices through all stages of the product lifecycle to ensure all devices meet the most up-to-date security best practices.

What about the challenge of addressing the security vulnerabilities with legacy medical devices? Do healthcare providers have to wait for new technology to emerge, or is there something that can be done in the interim to help secure legacy devices? In the recent draft guidance given in the Post Market Management of Cybersecurity in Medical Devices, the Food and Drug Administration (FDA) provided helpful clarification about improving the security of medical devices. The guidance states:

Changes to a device that are made solely to strengthen cybersecurity are typically considered device enhancements, which may include cybersecurity routine updates and patches, and are generally not required to be reported, under 21 CFR 806.10.